Full Report
I decided to spend some research time diving in depth into Identity and Access Management (IAM) within Microsoft Azure. I am going to show you within this blog how IAM permissions can be abused within an Azure…
Analysis Summary
# Tool/Technique: Azure IAM Privilege Escalation
## Overview
This technical research explores the abuse of Identity and Access Management (IAM) permissions within Microsoft Azure. The techniques focus on how specific Azure Role-Based Access Control (RBAC) permissions can be leveraged by an attacker to upgrade their own privileges or bypass security boundaries to access sensitive resources like Key Vaults.
## Technical Details
- **Type:** Technique (Cloud Privilege Escalation)
- **Platform:** Microsoft Azure (Cloud Infrastructure)
- **Capabilities:** Role assignment manipulation, custom role creation, and federated identity hijacking.
- **First Seen:** Various methods documented historically; summarized for modern environments in April 2024.
## MITRE ATT&CK Mapping
- **[TA0004 - Privilege Escalation]**
- **[T1098 - Account Manipulation]**
- **[T1098.003 - Additional Cloud Roles]**
- **[TA0003 - Persistence]**
- **[T1136.003 - Cloud Account]**
- **[TA0006 - Credential Access]**
- **[T1528 - Steal Application Access Token]**
## Functionality
### Core Capabilities
- **Microsoft.Authorization/roleAssignments/write:** Allows an attacker to assign a privileged role (like Owner or Contributor) to themselves or another principal.
- **Microsoft.Authorization/roleDefinitions/write:** Enables the creation of "God-mode" custom roles. An attacker can create a role with `"*"` (wildcard) permissions and then assign it to their account.
- **Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write:** Allows an attacker to link an external OpenID Connect (OIDC) provider (e.g., GitHub Actions) to an existing Azure Managed Identity.
### Advanced Features
- **Stealthy Identity Hijacking:** By using Federated Identity Credentials (FIC), an attacker can authenticate as a Managed Identity from an external infrastructure (like a GitHub runner) without needing to export secrets or certificates, leaving minimal footprints compared to traditional credential theft.
## Indicators of Compromise
- **File Hashes:** N/A (Standard CLI tools used).
- **File Names:** N/A.
- **Registry Keys:** N/A.
- **Network Indicators:**
  - `https://token.actions.githubusercontent[.]com` (Commonly abused OIDC issuer).
  - Connections to Azure Management APIs from unexpected IP ranges or GitHub Action runners.
- **Behavioral Indicators:**
  - `az identity federated-credential create` commands executed by unexpected users.
  - Unexpected assignments of the "User Access Administrator" or "Owner" roles.
  - Creation of custom roles with highly permissive JSON definitions.
## Associated Threat Actors
- While specific groups aren't named, these techniques are standard for **Cloud-focused Red Teams** and **Advanced Persistent Threats (APTs)** targeting cloud infrastructure for data exfiltration.
## Detection Methods
- **Behavioral Detection:**
  - Monitor Azure Activity Logs for `Create Role Assignment` and `Create or Update Role Definition` operations.
  - Alert on `Create Federated Identity Credential` events, especially those linking to external GitHub repositories or unknown OIDC issuers.
- **SIEM Integration:** Correlate IAM changes with the principal's typical behavior and geographic location.
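The detection bullets above (role assignment writes, role definition writes with wildcard actions, federated credential writes to unapproved issuers, and IAM changes by unexpected principals) can be expressed as a small rule set over Azure Activity Log records. The following Python is an added example written for this summary; it is not code from the original blog post or from any of the tools listed below. It assumes a simplified record shape in which the PUT request body is available as a JSON string under `properties.requestbody` (as it is in many Activity Log exports; adjust the accessor to your pipeline), and the sample events, allowlists and admin list are constructed for the example. The two role GUIDs are the well-known built-in role definition IDs for Owner and User Access Administrator.

```python
import json
from typing import Iterable, List

# Activity Log operation names that match the three permissions this summary
# identifies as privilege-escalation primitives.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
ROLE_DEFINITION_WRITE = "Microsoft.Authorization/roleDefinitions/write"
FIC_WRITE = ("Microsoft.ManagedIdentity/userAssignedIdentities/"
             "federatedIdentityCredentials/write")

# Built-in role definition IDs whose assignment should always raise an alert.
HIGH_PRIVILEGE_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# Constructed allowlists: the OIDC issuers and the principals that are
# expected to make IAM changes in this environment.
APPROVED_ISSUERS = {"https://oidc.approved-ci.example/"}
EXPECTED_IAM_ADMINS = {"iam-admin@example.com"}


def _request_body(event: dict) -> dict:
    """Parse the JSON request body carried under properties.requestbody.
    Assumed export shape; returns {} when the body is absent or malformed."""
    raw = event.get("properties", {}).get("requestbody")
    if not raw:
        return {}
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {}


def classify(event: dict) -> List[str]:
    """Return the findings raised by a single Activity Log record."""
    findings: List[str] = []
    op = event.get("operationName", "")
    caller = event.get("caller", "")
    props = _request_body(event).get("properties", {})

    if op == ROLE_ASSIGNMENT_WRITE:
        # roleDefinitionId is a full resource path; the GUID is the last segment.
        role_id = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_id in HIGH_PRIVILEGE_ROLE_IDS:
            findings.append(f"privileged role assignment "
                            f"({HIGH_PRIVILEGE_ROLE_IDS[role_id]}) by {caller}")
    elif op == ROLE_DEFINITION_WRITE:
        # A custom role whose actions contain "*" is the "God-mode" role.
        if any("*" in perm.get("actions", []) for perm in props.get("permissions", [])):
            findings.append(f"custom role with wildcard actions written by {caller}")
    elif op == FIC_WRITE:
        issuer = props.get("issuer", "")
        if issuer not in APPROVED_ISSUERS:
            findings.append(f"federated credential to unapproved issuer {issuer} by {caller}")

    # Any IAM finding from a principal outside the admin set is escalated.
    if findings and caller not in EXPECTED_IAM_ADMINS:
        findings.append(f"IAM change by unexpected principal {caller}")
    return findings


def scan(events: Iterable[dict]) -> dict:
    """Map correlationId -> findings for every record that raised at least one."""
    return {e["correlationId"]: f for e in events if (f := classify(e))}


def _event(cid: str, op: str, caller: str, body_props: dict) -> dict:
    """Build a constructed Activity Log record for the sample set below."""
    return {"correlationId": cid, "operationName": op, "caller": caller,
            "properties": {"requestbody": json.dumps({"properties": body_props})}}


# Constructed sample records: three escalation steps by a developer account,
# then a benign assignment by the expected IAM admin.
SAMPLE_EVENTS = [
    _event("evt-1", ROLE_ASSIGNMENT_WRITE, "dev-user@example.com", {
        "roleDefinitionId": "/subscriptions/sub-placeholder/providers/"
                            "Microsoft.Authorization/roleDefinitions/"
                            "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalId": "principal-placeholder"}),
    _event("evt-2", ROLE_DEFINITION_WRITE, "dev-user@example.com", {
        "roleName": "helper-role",
        "permissions": [{"actions": ["*"], "notActions": []}]}),
    _event("evt-3", FIC_WRITE, "dev-user@example.com", {
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:example-org/example-repo:ref:refs/heads/main",
        "audiences": ["api://AzureADTokenExchange"]}),
    _event("evt-4", ROLE_ASSIGNMENT_WRITE, "iam-admin@example.com", {
        "roleDefinitionId": "/subscriptions/sub-placeholder/providers/"
                            "Microsoft.Authorization/roleDefinitions/"
                            "reader-role-placeholder",
        "principalId": "principal-placeholder"}),
]

if __name__ == "__main__":
    for cid, fs in scan(SAMPLE_EVENTS).items():
        print(cid, "->", "; ".join(fs))
```

Running the block reports `evt-1`, `evt-2` and `evt-3` (each with two findings) and stays silent on `evt-4`. In production the same rules would run as SIEM queries over the `AzureActivity` table, with the issuer allowlist and admin set sourced from policy rather than hard-coded.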
## Mitigation Strategies
- **Principle of Least Privilege (PoLP):** Ensure that only a strictly limited number of administrators hold the `Microsoft.Authorization/roleAssignments/write` or `Microsoft.Authorization/roleDefinitions/write` permissions.
- **Conditional Access Policies:** Restrict where administrative actions can be taken from (e.g., requiring compliant devices or specific IP ranges).
- **PIM (Privileged Identity Management):** Require Just-In-Time (JIT) access and multi-party approval for assigning or creating roles.
- **Guardrails:** Use Azure Policy to restrict the creation of federated identity credentials to approved issuers only.
## Related Tools/Techniques
- **MicroBurst:** A PowerShell toolkit for Azure security assessments.
- **ROADtools:** A framework for interacting with Azure AD.
- **AzureHound (BloodHound):** Used to map out complex IAM relationship paths for privilege escalation.